Not in the policy but in the information about what is actually implemented by an algorithm. I was not quite clear here.
I'm not sure whether I understand your suggestion. In your example above, you suggest to have simply a list of all currently valid key lengths?
But where do you have the validity periods of the particular values (key lengths)?
As part of the policy, you make constraints about values, e.g. parameter 1 may only have this or that etc. You can CHECK such statements without knowing the actual semantics.
A second problem I see is that some algorithms are defined by more than one parameter (e.g. DSA: 'p' and 'q'). So in the XML encoding, you have to distinguish the different parameters (e.g. via its name).
There is the point. You do not have to distinguish any semantics of what p, q, or keys or else would mean. I think a verifying entity can be made of two components: A very generic one, which verifies the conformity of ALL algorithms and, for each algorithm implementation, a specific module which, depending on the algorithm implementation, can indicate how some values are filled. The verification module does not need to know anything about the actual semantics of a particular parameter.
Compare this with SNMP: If you have some "box" with a MIB, only the box knows the semantics of the values, not the SNMP client and network supervision tools. They can just set values and display textual labels defined by a MIB. If one wants to define policies about certain values, then the network tool needs to know the specific MIBs; there is no way to make a generic policy for each kind of MIB. But in our case, the potential number of algorithms is not extremely high, and in any way, the policy will not say more than constraints of a few values.
Yes, the problem is how one assumes that an implementation would work. Who will check the policy? Is it part of the algorithm implementation, or part of a generic module that asks some parts of the algorithm implementation to give 'its parameter 1 and 2'?
In a policy one would only specify value constraints parameters for an actual algorithm, a kind of pattern which can always be checked, example: first parameter must be greater than 1023, second less than 8192 or whatever.
> Do you mean to encode this pattern in XML? And for example such a pattern would say: 'If a value of 1024 is valid, every value greater than 1024 is also valid'?
In principle I agree with you. We are also discussing the problem which arises if new algorithms are added (see Susanne's mail which also addresses this topic).
Thomas
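
Added example, not part of the original message or of any project's code: the split discussed above, where a generic verifier checks policy value constraints against labelled values reported by per-algorithm modules, without knowing what the parameters mean. The XML layout, the parameter labels and the function names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Hypothetical policy encoding (constructed for this example): each constraint
# names a parameter label and an optional inclusive min/max for its value.
POLICY_XML = """
<policy>
  <algorithm name="RSA">
    <constraint param="modulus_bits" min="1024" max="8192"/>
  </algorithm>
  <algorithm name="DSA">
    <constraint param="p_bits" min="1024"/>
    <constraint param="q_bits" min="160"/>
  </algorithm>
</policy>
"""

def load_policy(xml_text):
    """Return {algorithm: {param: (min, max)}}; a missing bound is None."""
    policy = {}
    for alg in ET.fromstring(xml_text).findall("algorithm"):
        rules = {}
        for c in alg.findall("constraint"):
            lo, hi = c.get("min"), c.get("max")
            rules[c.get("param")] = (int(lo) if lo else None,
                                     int(hi) if hi else None)
        policy[alg.get("name")] = rules
    return policy

def check(policy, algorithm, reported):
    """Generic check: compares labelled integers only, no parameter semantics.
    `reported` is what the algorithm-specific module says it uses."""
    rules = policy.get(algorithm)
    if rules is None:
        # Fail closed: an algorithm the policy does not mention is rejected.
        return [f"{algorithm}: not covered by policy"]
    problems = []
    for param, (lo, hi) in rules.items():
        if param not in reported:
            problems.append(f"{algorithm}.{param}: value not reported")
            continue
        value = reported[param]
        if lo is not None and value < lo:
            problems.append(f"{algorithm}.{param}: {value} < {lo}")
        if hi is not None and value > hi:
            problems.append(f"{algorithm}.{param}: {value} > {hi}")
    return problems
```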